TAIPEI — A new paper commissioned by the US-China Economic and Security Review Commission (USCC) explores cloud computing in China and the implications for US defense and security.
“Red Cloud Rising: Cloud Computing in China” was written by the Center for Intelligence Research and Analysis (CIRA). Headed by China analyst James Mulvenon, the CIRA is under the Washington-based Defense Group, Inc.
“Red Cloud Rising” surveys Chinese government support for creating domestic cloud computing industry and the security implications for the US government and businesses. The paper looks at the complex ecosystem of government institutions, research institutes, private sector companies, state-owned enterprises, and intelligence and military organizations that encompass China’s cloud computing industry.
The report, issued Sept. 5, states “the Chinese government plans to make more than $1 billion available over the next few years to drive cloud computing development,” and this investment will allow China’s cloud computing industry to expand to between $122 billion and $163 billion by 2015.
The report provides new details about the relationship between the Chinese military and intelligence services with China’s cloud computing development efforts.
USCC Commissioner Larry Wortzel said the report warns that China-based cloud computing services may present significant security concerns for the US, especially if US companies are storing data on Chinese cloud networks.
The People’s Liberation Army (PLA) is working to leverage cloud computing skills that help the military’s “informatization” efforts, including connecting and integrating the military’s many systems into a single information technology framework. China’s civilian foreign intelligence collection organization, the Ministry of State Security (MSS), oversees projects aimed at bringing foreign cloud computing investment to China.
One area of concern, cited in the report, is the Microsoft and 21Vianet cloud computing partnership, which could provide a way for US companies to access China’s cloud computing network. China’s 21Vianet is a data center services provider, which is incorporated in the Caymen Islands to avoid telecommunications ownership restrictions. Microsoft has agreed to provide 21Vianet with Office 365, Software as a Service, and Windows Azure. Microsoft’s current plan is to allow Chinese cloud computing centers operated by 21Vianet to be fully integrated into Microsoft’s global cloud computer network, which includes Europe and North America.
The report said this was “alarming” and “even small-scale requests for sensitive information may cause security concerns.” The report reminds the reader that in the past Microsoft had provided the Chinese government with the “full source code for Microsoft Windows and other core products, which may have enabled the PLA and Chinese intelligence services to more effectively penetrate and exploit foreign systems and infrastructure.” This danger would be further raised by Windows Azure’s global data centers. “If Microsoft’s Chinese and non-Chinese cloud data centers are interconnected in the manner currently planned, there is a risk that any legal demands the Chinese government makes of 21Vianet to access and monitor its data-center operations may in turn allow the Chinese government to access foreign data centers outside China through Microsoft’s Windows Azure network.”
Even more disturbing is the direct involvement of the Chinese intelligence services in government-led cloud computing development. For example, although the Chongqing Special Cloud Computing Zone project was being overseen by the municipal government, the approval process for setting it up has gone through the MSS. A letter sent by the MSS to Chongqing officials stated that the MSS was working to “actively support and coordinate with” the municipal government on an ongoing basis. The MSS would provide “leading guidance and corresponding requirements.”
Beyond espionage, the PLA is working to modernize its battlefield command integration capabilities via its “informatization” program. “Cloud computing technology directly supports the deployment and operation of ICPs [Integrated Command Platforms], and the PLA organization most responsible for ICP development, the General Staff Department’s 61st Research Institute, is also actively conducting research into military cloud computing.”